OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/net/chrome_fraudulent_certificate_reporter.h" | 5 #include "chrome/browser/net/certificate_error_reporter.h" |
6 | 6 |
7 #include <set> | 7 #include <set> |
8 | 8 |
9 #include "base/base64.h" | |
10 #include "base/logging.h" | 9 #include "base/logging.h" |
11 #include "base/profiler/scoped_tracker.h" | |
12 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
13 #include "base/time/time.h" | 11 #include "base/time/time.h" |
14 #include "chrome/browser/net/cert_logger.pb.h" | 12 #include "chrome/browser/net/cert_logger.pb.h" |
15 #include "net/base/elements_upload_data_stream.h" | 13 #include "net/base/elements_upload_data_stream.h" |
16 #include "net/base/load_flags.h" | 14 #include "net/base/load_flags.h" |
17 #include "net/base/request_priority.h" | 15 #include "net/base/request_priority.h" |
18 #include "net/base/upload_bytes_element_reader.h" | 16 #include "net/base/upload_bytes_element_reader.h" |
19 #include "net/cert/x509_certificate.h" | 17 #include "net/cert/x509_certificate.h" |
20 #include "net/ssl/ssl_info.h" | 18 #include "net/ssl/ssl_info.h" |
21 #include "net/url_request/url_request_context.h" | 19 #include "net/url_request/url_request_context.h" |
22 | 20 |
23 namespace chrome_browser_net { | 21 namespace chrome_browser_net { |
24 | 22 |
25 // TODO(palmer): Switch to HTTPS when the error handling delegate is more | 23 CertificateErrorReporter::CertificateErrorReporter( |
26 // sophisticated. Ultimately we plan to attempt the report on many transports. | 24 net::URLRequestContext* request_context, |
27 static const char kFraudulentCertificateUploadEndpoint[] = | 25 const GURL& upload_url) |
28 "http://clients3.google.com/log_cert_error"; | 26 : request_context_(request_context), upload_url_(upload_url) { |
29 | 27 DCHECK(!upload_url.is_empty()); |
30 ChromeFraudulentCertificateReporter::ChromeFraudulentCertificateReporter( | |
31 net::URLRequestContext* request_context) | |
32 : request_context_(request_context), | |
33 upload_url_(kFraudulentCertificateUploadEndpoint) { | |
34 } | 28 } |
35 | 29 |
36 ChromeFraudulentCertificateReporter::~ChromeFraudulentCertificateReporter() { | 30 CertificateErrorReporter::~CertificateErrorReporter() { |
37 STLDeleteElements(&inflight_requests_); | 31 STLDeleteElements(&inflight_requests_); |
38 } | 32 } |
39 | 33 |
40 static std::string BuildReport(const std::string& hostname, | 34 scoped_ptr<net::URLRequest> CertificateErrorReporter::CreateURLRequest( |
41 const net::SSLInfo& ssl_info) { | |
42 CertLoggerRequest request; | |
43 base::Time now = base::Time::Now(); | |
44 request.set_time_usec(now.ToInternalValue()); | |
45 request.set_hostname(hostname); | |
46 | |
47 std::vector<std::string> pem_encoded_chain; | |
48 if (!ssl_info.cert->GetPEMEncodedChain(&pem_encoded_chain)) { | |
49 LOG(ERROR) << "Could not get PEM encoded chain."; | |
50 } | |
51 std::string* cert_chain = request.mutable_cert_chain(); | |
52 for (size_t i = 0; i < pem_encoded_chain.size(); ++i) | |
53 *cert_chain += pem_encoded_chain[i]; | |
54 | |
55 request.add_pin(ssl_info.pinning_failure_log); | |
56 | |
57 std::string out; | |
58 request.SerializeToString(&out); | |
59 return out; | |
60 } | |
61 | |
62 scoped_ptr<net::URLRequest> | |
63 ChromeFraudulentCertificateReporter::CreateURLRequest( | |
64 net::URLRequestContext* context) { | 35 net::URLRequestContext* context) { |
65 scoped_ptr<net::URLRequest> request = | 36 scoped_ptr<net::URLRequest> request = |
66 context->CreateRequest(upload_url_, net::DEFAULT_PRIORITY, this, NULL); | 37 context->CreateRequest(upload_url_, net::DEFAULT_PRIORITY, this, NULL); |
67 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | | 38 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | |
68 net::LOAD_DO_NOT_SAVE_COOKIES); | 39 net::LOAD_DO_NOT_SAVE_COOKIES); |
69 return request.Pass(); | 40 return request.Pass(); |
70 } | 41 } |
71 | 42 |
72 void ChromeFraudulentCertificateReporter::SendReport( | 43 void CertificateErrorReporter::SendReport(ReportType type, |
73 const std::string& hostname, | 44 const std::string& hostname, |
74 const net::SSLInfo& ssl_info) { | 45 const net::SSLInfo& ssl_info) { |
75 // We do silent/automatic reporting ONLY for Google properties. For other | 46 CertLoggerRequest request; |
76 // domains (when we start supporting that), we will ask for user permission. | 47 std::string out; |
77 if (!net::TransportSecurityState::IsGooglePinnedProperty(hostname)) { | 48 |
78 return; | 49 BuildReport(hostname, ssl_info, request); |
50 | |
51 switch (type) { | |
52 case REPORT_TYPE_PINNING_VIOLATION: | |
53 SendCertLoggerRequest(request); | |
54 break; | |
55 case REPORT_TYPE_EXTENDED_REPORTING: | |
56 // TODO(estark): Double-check that the user is opted in. | |
57 // TODO(estark): Temporarily, since this is no upload endpoint, just | |
58 // log the information. | |
59 request.SerializeToString(&out); | |
60 DVLOG(20) << "SSL report for " << hostname << ":\n" << out << "\n\n"; | |
Ryan Sleevi
2015/03/06 00:21:32
DVLOG(3) should be sufficient. That's the max nois
estark
2015/03/06 02:17:41
Done.
| |
61 break; | |
62 default: | |
63 NOTREACHED(); | |
79 } | 64 } |
65 } | |
80 | 66 |
81 std::string report = BuildReport(hostname, ssl_info); | 67 void CertificateErrorReporter::OnResponseStarted(net::URLRequest* request) { |
68 const net::URLRequestStatus& status(request->status()); | |
69 if (!status.is_success()) { | |
70 LOG(WARNING) << "Certificate upload failed" | |
71 << " status:" << status.status() | |
72 << " error:" << status.error(); | |
73 } else if (request->GetResponseCode() != 200) { | |
74 LOG(WARNING) << "Certificate upload HTTP status: " | |
75 << request->GetResponseCode(); | |
76 } | |
77 RequestComplete(request); | |
78 } | |
79 | |
80 void CertificateErrorReporter::OnReadCompleted(net::URLRequest* request, | |
81 int bytes_read) { | |
82 } | |
83 | |
84 void CertificateErrorReporter::BuildReport(const std::string& hostname, | |
85 const net::SSLInfo& ssl_info, | |
86 CertLoggerRequest& out_request) { | |
87 base::Time now = base::Time::Now(); | |
88 out_request.set_time_usec(now.ToInternalValue()); | |
89 out_request.set_hostname(hostname); | |
90 | |
91 std::vector<std::string> pem_encoded_chain; | |
92 if (!ssl_info.cert->GetPEMEncodedChain(&pem_encoded_chain)) { | |
93 LOG(ERROR) << "Could not get PEM encoded chain."; | |
94 } | |
95 std::string* cert_chain = out_request.mutable_cert_chain(); | |
96 for (size_t i = 0; i < pem_encoded_chain.size(); ++i) | |
97 *cert_chain += pem_encoded_chain[i]; | |
98 | |
99 out_request.add_pin(ssl_info.pinning_failure_log); | |
100 } | |
101 | |
102 void CertificateErrorReporter::SendCertLoggerRequest( | |
103 CertLoggerRequest& request) { | |
104 std::string serialized_request; | |
105 request.SerializeToString(&serialized_request); | |
82 | 106 |
83 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); | 107 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); |
84 url_request->set_method("POST"); | 108 url_request->set_method("POST"); |
85 | 109 |
86 scoped_ptr<net::UploadElementReader> reader( | 110 scoped_ptr<net::UploadElementReader> reader( |
87 net::UploadOwnedBytesElementReader::CreateWithString(report)); | 111 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); |
88 url_request->set_upload( | 112 url_request->set_upload( |
89 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); | 113 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); |
90 | 114 |
91 net::HttpRequestHeaders headers; | 115 net::HttpRequestHeaders headers; |
92 headers.SetHeader(net::HttpRequestHeaders::kContentType, | 116 headers.SetHeader(net::HttpRequestHeaders::kContentType, |
93 "x-application/chrome-fraudulent-cert-report"); | 117 "x-application/chrome-fraudulent-cert-report"); |
94 url_request->SetExtraRequestHeaders(headers); | 118 url_request->SetExtraRequestHeaders(headers); |
95 | 119 |
96 net::URLRequest* raw_url_request = url_request.get(); | 120 net::URLRequest* raw_url_request = url_request.get(); |
97 inflight_requests_.insert(url_request.release()); | 121 inflight_requests_.insert(url_request.release()); |
98 raw_url_request->Start(); | 122 raw_url_request->Start(); |
99 } | 123 } |
100 | 124 |
101 void ChromeFraudulentCertificateReporter::RequestComplete( | 125 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { |
102 net::URLRequest* request) { | |
103 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); | 126 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); |
104 DCHECK(i != inflight_requests_.end()); | 127 DCHECK(i != inflight_requests_.end()); |
105 scoped_ptr<net::URLRequest> url_request(*i); | 128 scoped_ptr<net::URLRequest> url_request(*i); |
106 inflight_requests_.erase(i); | 129 inflight_requests_.erase(i); |
107 } | 130 } |
108 | 131 |
109 // TODO(palmer): Currently, the upload is fire-and-forget but soon we will | |
110 // try to recover by retrying, and trying different endpoints, and | |
111 // appealing to the user. | |
112 void ChromeFraudulentCertificateReporter::OnResponseStarted( | |
113 net::URLRequest* request) { | |
114 // TODO(vadimt): Remove ScopedTracker below once crbug.com/422516 is fixed. | |
115 tracked_objects::ScopedTracker tracking_profile( | |
116 FROM_HERE_WITH_EXPLICIT_FUNCTION( | |
117 "422516 ChromeFraudulentCertificateReporter::OnResponseStarted")); | |
118 | |
119 const net::URLRequestStatus& status(request->status()); | |
120 if (!status.is_success()) { | |
121 LOG(WARNING) << "Certificate upload failed" | |
122 << " status:" << status.status() | |
123 << " error:" << status.error(); | |
124 } else if (request->GetResponseCode() != 200) { | |
125 LOG(WARNING) << "Certificate upload HTTP status: " | |
126 << request->GetResponseCode(); | |
127 } | |
128 RequestComplete(request); | |
129 } | |
130 | |
131 void ChromeFraudulentCertificateReporter::OnReadCompleted( | |
132 net::URLRequest* request, int bytes_read) {} | |
133 | |
134 } // namespace chrome_browser_net | 132 } // namespace chrome_browser_net |
OLD | NEW |